Governments defines IoT Code of Practice to make security built-in, not bolt-on

The IoT has a poor cyber reputation. Manufacturers often fail to install appropriate safeguards on their products, and consumers lack the know-how to change default passwords or update pre-installed software.

With connected devices now controlling entire homes full of electronics, including door locks, childrens' toys, cameras and medical products, the importance of security is greater than ever.

In an effort to combat that insecurity, the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) have set out plans to embed security by design, rather than as an afterthought, in IoT devices.

The government has worked with industry partners to develop a new Code of Practice, to improve security and consumer safety.

The Code defines 13 guidelines for manufacturers, service providers, developers and retailers to implement in order to ensure that IoT products are safe to use. They are:

1. No default passwords

2. Implement a vulnerability disclosure policy

3. Keep software updated

4. Securely store credentials and security-sensitive data

5. Communicate securely

6. Minimise exposed attack surfaces

7. Ensure software integrity

8. Ensure that personal data is protected

9. Make systems resilient to outages

10. Monitor system telemetry data

11. Make it easy for consumers to delete personal data

12. Make installation and maintenance of devices easy

13. Validate input data

HP Inc. and Centrica Hive are the first companies to sign up to the new Code. Minister for Digital Margot James said that these pledges are "a welcome first step," but "it is vital other manufacturers follow their lead to ensure strong security measures are built into everyday technology from the moment it is designed."

The government has published a mapping document to make it easy for other manufacturers to follow HP Inc. and Hive Centrica's example; and a document for consumers with guidance on securing IoT devices in the home.

CA Veracode's Consultant Solution Architect, John Smith, praised the move:

"This government initiative is exactly what many in the industry have been craving for years. Manufacturers have not really felt any market pressure to improve the security of these devices because consumers still have a lack of understanding of the security implications of IoT devices.

"Providing concrete guidance to manufacturers while also raising public awareness of these issues can only help address the gap that currently exists. It's not just about the hardware anymore, it's about the software behind it, and it's really encouraging to see that the UK government wake up to the potential vulnerabilities in consumer IoT devices."

Further reading

• Security

Government to demand 'security by design' in new measures to tackle IoT security

• 07 Mar 2018

• Security

Most off-the-shelf IoT devices carry 'frightening' security risks, warn researchers

• 13 Mar 2018

• Security

MIT researchers develop transmitter to prevent hackers from attacking IoT devices

• 08 Jun 2018

• Security

Microsoft announces Azure Sphere to fight security threats hitting IoT devices

• 17 Apr 2018

• Tweet  
• Facebook  
•  
•  
• Send to  

• Topics
• Security
• Government
• Internet of Things
• ncsc
• iot
• DCMS